On 31 January 2023, the European Banking Authority (EBA) issued three new Q&As which together with three existing Q&As clarify the application of strong customer authentication (SCA) to the enrolment of a payment card to a digital wallet and to the initiation of payment transactions with digitised versions of a payment card. They also clarify the requirements applicable to the outsourcing of the application of SCA to digital wallet providers.

In terms of outsourcing, the Q&As clarify that issuers may outsource the provision and verification of the elements of SCA to a third party, such as a digital wallet provider, in compliance with the general requirements on outsourcing, including the requirements of the EBA guidelines on outsourcing arrangements. However, the responsibility for compliance with the SCA requirements cannot be outsourced and issuers remain fully responsible for the compliance with the requirements in the revised Payment Services Directive and the regulatory technical standards (RTS) on SCA and common secure communications.